Copyright © 2022 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.

LFX Security FAQs


Last updated 8 months ago

What is LFX Security?

LFX Security is a comprehensive service designed to assist open-source developers in identifying and addressing security vulnerabilities in their code, ultimately creating more secure software. This service also detects sensitive information, such as code secrets, and non-inclusive language within codebases.

Does LFX Security automatically scan my project’s code?

If your project is in the Linux Foundation database, LFX Security will scan your code weekly. Detected vulnerabilities are added to your project dashboards and classified as critical, high, medium, or low risk using databases like CWE, CVE, and GHSA. You'll get an inventory of dependencies and licenses, including their details. LFX Security also scans for code secrets and non-inclusive language.

What do Critical/High/Medium/Low Vulnerabilities mean?

To understand more about this, please refer to .

Who can see LFX Security reports?

LFX Security fetches the permissions from GitHub and maps those permissions into the following categories:

  • Owner/Admin -> GitHub admin permissions

  • Maintainer -> GitHub maintain permissions

  • Contributor -> GitHub triage, push, and pull permissions

Users in these categories are given elevated Contributor/Maintainer permissions: they can dismiss irrelevant vulnerability issues, send notifications, and mark issues as false positives.

What languages and programming ecosystems are supported for vulnerability scanning?

Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Golang, and PHP.

Why is there a mismatch between "Vulnerabilities Fixed" and "Top 10 projects most active in fixing vulnerabilities"?

The Security Leaderboard displays two key metrics: "Vulnerabilities Fixed" and "Top 10 projects most active in fixing vulnerabilities." Although these two counts might be expected to match, they often differ, for one specific reason explained below.

Key Points:

• "Vulnerabilities Fixed" count: the total number of unique (distinct) vulnerabilities found across all scanned projects. Each vulnerability is counted once, however many projects it appears in.

• "Top 10 projects most active in fixing vulnerabilities" count: the number of unique vulnerabilities fixed in each of the top 10 projects, summed across those projects. A vulnerability fixed in more than one of these projects is therefore counted once per project.

Why the Mismatch?

The discrepancy arises from the repetition of vulnerabilities in multiple projects. When these repeated vulnerabilities are counted, the aggregate total is higher than the distinct "Vulnerabilities Fixed" count.
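The following added example (not LFX Security's own code) reproduces the two leaderboard counts over constructed sample data, with placeholder vulnerability ids, and shows that the gap between them is exactly the number of extra times a repeated vulnerability is counted.

```python
from collections import Counter

# Constructed sample data: project -> set of vulnerability ids fixed in that
# project. Ids are placeholders for illustration, not real advisories.
FIXED_BY_PROJECT = {
    "project-a": {"VULN-0001", "VULN-0002", "VULN-0003"},
    "project-b": {"VULN-0002", "VULN-0004"},
    "project-c": {"VULN-0001", "VULN-0002"},
    "project-d": {"VULN-0005"},
}


def distinct_fixed(fixed_by_project):
    """'Vulnerabilities Fixed' style count: every id counted once, no matter
    how many projects fixed it."""
    seen = set()
    for ids in fixed_by_project.values():
        seen |= ids
    return len(seen)


def top_projects(fixed_by_project, n=10):
    """Rank projects by how many vulnerabilities each fixed (ties broken by
    name) and return the top n as (project, count) pairs."""
    ranked = sorted(fixed_by_project.items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [(name, len(ids)) for name, ids in ranked[:n]]


def leaderboard_total(fixed_by_project, n=10):
    """'Top 10 projects' style count: per-project counts summed, so an id
    fixed in several of those projects is counted once per project."""
    return sum(count for _, count in top_projects(fixed_by_project, n))


def repeated_ids(fixed_by_project):
    """Ids fixed in more than one project, with how many projects each
    appears in: the source of the mismatch described in the FAQ."""
    counts = Counter(v for ids in fixed_by_project.values() for v in ids)
    return {v: k for v, k in counts.items() if k > 1}


def explain_mismatch(fixed_by_project, n=10):
    """Return both counts plus the excess; when n covers every project the
    excess equals sum(appearances - 1) over the repeated ids."""
    distinct = distinct_fixed(fixed_by_project)
    aggregate = leaderboard_total(fixed_by_project, n)
    return {"distinct": distinct, "aggregate": aggregate,
            "excess": aggregate - distinct}


if __name__ == "__main__":
    print(explain_mismatch(FIXED_BY_PROJECT))
    print(repeated_ids(FIXED_BY_PROJECT))
```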

How are licenses identified?

LFX Security uses Snyk to scan a project’s Git-based repository and identify dependencies’ licenses against the SPDX license list. License identification varies by ecosystem, but generally, it is done by reviewing the stated license on the package, retrieving metadata from the registry, and license information in manifest files.

What partners support the LFX Security service?

For LFX Security, we are partnering with a few solutions providers where it makes sense. For example, projects can choose to allocate funds raised through the LFX Funding service to administer bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on LFX (Funding and Mentorship) to identify vulnerabilities and dependencies, and to help manage intellectual property (IP) risk with license verification.

How does LFX Security help a project manage its intellectual property obligations?

LFX Security helps projects manage their intellectual property (IP) obligations in two key ways:

Dependency License Scans

  1. Automatic dependency scans: All projects in LFX Security receive automatic dependency license scans, providing a comprehensive view of direct and indirect third-party dependencies.

  2. License association: Snyk associates licenses with libraries and packages, giving maintainers a clear understanding of the third-party licenses their project relies on.

  3. Compliance and decision-making: This reporting enables projects to:

    • Determine whether to avoid dependencies with incompatible licenses

    • Identify compliance obligations for used dependencies

    • Reproduce necessary license notices when distributing dependencies

EasyCLA (Contributor License Agreement) Service

The Linux Foundation's EasyCLA service addresses the challenges of ensuring contributors assign IP rights to open-source projects. Key features include:

  1. Corporate authority handling: EasyCLA requires corporate agreements to be signed by authorized signatories, enabling companies to control contributor access.

  2. Fine-grained authorization: Companies can specify individual contributors or authorize all employees across a domain name.

  3. Workflow facilitation: EasyCLA ensures code contributions meet requirements, streamlining workflows and ensuring contributor satisfaction.

Availability and Future Plans

The EasyCLA service is initially available to Linux Foundation-hosted projects, with plans to expand to a broader set of projects, including those on LFX Security.

When is the license information displayed as "Unknown"?

The license information is displayed as "Unknown" when the Snyk API cannot find license information and returns an "unknown" value to LFX Security.

When is the license information displayed as empty without any license information?

When the License field is blank, the license information will be displayed as empty. The Snyk API will not be able to retrieve any license details, resulting in the absence of license information.
